What to do about it
As with threats against laptops, desktops and servers, all is not lost, Lamb said. The first thing enterprises should do is to create and disseminate a secure-use policy for users of mobile devices that access sensitive data.
"The policy would say what the uses of the device are, who has access, what access to the network they have and what information is allowed on the devices," Lamb said. "It would also define a broad policy and make it known that the policy will be enforced." One important benefit of such a policy is that it will increase end-user awareness of potential threats.
The next step is for IT managers to talk to security experts and vendors to see what mobile security products and services are available, according to Lamb. That includes talking with wireless carriers.
"You need to actively engage with carriers about what they're doing with security, what their security environment is," Lamb said.
He also suggested looking at IP-based mobile networks, such as those using mobile WiMax, when they become available, as opposed to 3G cellular data networks, which are old-style packet-switched networks.
"IP networks allow a lot of technology to be introduced that deals with threats," Lamb said. "They give IT people visibility into the data that is going to these devices and allow them to be sure that data coming into the devices isn't a threat."
In short, the time has arrived in which IT managers must pay as much attention to mobile security as they do to other security threats, Lamb concluded.